Ajax cross-domain 302 response should be followed or not?

I would like to understand whether the following is valid Firefox behavior or whether I am missing something.

Initial user action
1. User requests http://domainA.com/login
2. domainA serves the login page from http://domainA.com
3. User POSTs the login credentials to http://domainB.com via an Ajax request. CORS is turned on by making xhr.withCredentials = true.
4. domainB.com is configured to respond to CORS requests from domainA.com.
5. A successful response is received (200). A cookie is set for domainB.com.

Followup action by the user
6. Now the user manually initiates an Ajax request to another resource in domainA: http://domainA.com/myHome
7. domainA does not find a login cookie for domainA yet. So domainA returns a 302 to a "loginValidation" resource on domainA itself.
8. Firefox transparently follows 302 to loginValidation resource.
9. As a response to domainA/loginValidation request, domainA responds with another 302 but this time to a loginValidation resource on domainB.
10. Firefox does NOT follow this 302.

In this whole process, the cross-domain headers were present only for the first request.

> What do the exact requests look like? Cross-site redirects in cases
> where a preflight would be needed are not allowed in CORS, so make sure
> that your request is not falling in that bucket.
>
> -Boris
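As an added example (not code from the thread), this JavaScript models the rule Boris points at: a request may only follow a cross-site redirect if it would not need a preflight, and every cross-origin hop still has to pass the CORS check against the page origin. The safelist constants, the response table reproducing steps 6 to 9, and the X-Requested-With header are constructed for the illustration; the rule is modelled as stated in the thread, and later revisions of the Fetch standard relaxed the redirect-after-preflight restriction.

```javascript
// Added example (not from the thread): a model of the CORS redirect rule Boris
// describes, run over a constructed copy of the redirect chain in the question.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
const norm = (u, base) => new URL(u, base).href;   // canonical absolute URL (host lower-cased)
const originOf = (u) => new URL(u).origin;
// A request needs a preflight unless its method and every header are CORS-safelisted.
function needsPreflight(req) {
  if (!SAFE_METHODS.has(req.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n === "content-type" && !SAFE_TYPES.has(value.split(";")[0].trim().toLowerCase())) return true;
  }
  return false;
}
// responses: canonical URL -> {status, location?, acao?, acac?}. Every cross-origin hop must pass the CORS check; a cross-site redirect on a preflighted request is refused.
function followChain(req, pageOrigin, responses) {
  let url = norm(req.url);
  for (let hop = 0; hop < 20; hop++) {
    const res = responses[url];
    if (!res) return { ok: false, reason: `no response for ${url}` };
    if (originOf(url) !== pageOrigin) {          // CORS check on a cross-origin response
      const credsOk = !req.withCredentials || res.acac === "true";
      if (res.acao !== pageOrigin || !credsOk) return { ok: false, reason: `CORS check failed at ${url}` };
    }
    if (res.status < 300 || res.status > 399) return { ok: true, finalUrl: url };
    const target = norm(res.location, url);
    if (originOf(target) !== pageOrigin && needsPreflight(req)) {
      return { ok: false, reason: `cross-site redirect to ${target} refused: request needs a preflight` };
    }
    url = target;
  }
  return { ok: false, reason: "too many redirects" };
}
// Constructed chain matching steps 6-9 of the question (domainB allows domainA with credentials).
const PAGE = originOf("http://domainA.com");
const RESPONSES = {
  [norm("http://domainA.com/myHome")]: { status: 302, location: "/loginValidation" },
  [norm("http://domainA.com/loginValidation")]: { status: 302, location: "http://domainB.com/loginValidation" },
  [norm("http://domainB.com/loginValidation")]: { status: 200, acao: PAGE, acac: "true" },
};
// Plain GET: no preflight, so the cross-site 302 is followed and CORS-checked at domainB.
const plainGet = () => followChain({ url: "http://domainA.com/myHome", method: "GET", withCredentials: true }, PAGE, RESPONSES);
// Same GET with a non-safelisted header (a common Ajax-library default): preflight needed, redirect refused.
const withCustomHeader = () => followChain({ url: "http://domainA.com/myHome", method: "GET", withCredentials: true,
  headers: { "X-Requested-With": "XMLHttpRequest" } }, PAGE, RESPONSES);
```

The two calls at the end show the difference Boris asks about: the same chain succeeds for a safelisted GET and fails as soon as the request would have required a preflight.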